Another security hole in Hotmail

Microsoft's Hotmail has acknowledged a security problem with its Web-based email service that could compromise the accounts of users in corporate computing environments.

The current problem comes on the heels of a series of bugs that plagued Hotmail
and other Web-based free email providers last month.

Hotmail downplayed its own responsibility for the current problem, however,
characterizing it as "largely a network security issue."

"It appears that if you're in an insecure network, behind a firewall with
another user, that second user can 'sniff' the traffic, including the Hotmail
URL or the cookie, as long as the first user is still logged onto the
service," said Sean Fee, director of product marketing at Hotmail.

Fee was referring to the practice of "packet sniffing," or monitoring data as it
passes through a network.

Fee said the intruder could access another account behind the same firewall
in one of two ways.

One is to swipe the cookie, or the file that Hotmail places on the user's
computer to identify that computer. Hotmail and other free email
providers rely on cookies because computers in corporate or other network
environments usually are assigned random IP (Internet protocol) addresses, rather than given one address per computer.

The other way is to steal the Web address, or URL, sent to and from Hotmail. By cutting and pasting that URL into a browser
window before the victim's session expires, the intruder can access the
account.

Hotmail's present security problem bears some resemblance to a hole BellSouth fixed last
month. In that situation, the BellSouth Web mail URLs were showing up on
the server logs of third-party Web sites that Web mail users visited
directly from their accounts.

In this case, however, Fee stressed that only users in "insecure networks"
were at risk.

The security hole also resembles problems that both Excite and Hotmail have faced in which users' Web mail addresses and other personal information were revealed. In this case, however, intruders can not only glean addresses and information but also gain complete control over the user's account, letting them read, delete, and send mail under the victim's name.

The problem is the subject of a Web page by Chee Mun
Kean, a computer science student in Kuala Lumpur.

Both Fee and Chee recommended that users log out after completing their
Hotmail sessions, because intruders can only take advantage of this problem
if the account holder's session is still active. Hotmail sessions last two
hours unless the user logs out or shuts down the browser.
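The advice above works because a captured cookie or URL is only a copy of a session token, and a copy is worthless once the server no longer honours the original. The following Python sketch, added here as an illustration and not code from Hotmail or from Chee's page, models that server-side bookkeeping: a token is issued at login, rejected after an explicit logout, and rejected after the two-hour window the article describes. The clock is simulated so the expiry case runs instantly; the class and function names are this example's own.

```python
import secrets
import time

# Two-hour window, the lifetime the article attributes to a Hotmail session.
SESSION_LIFETIME = 2 * 60 * 60


class SessionStore:
    """Server-side record of which tokens are currently valid and for whom."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable so tests can move time forward
        self._sessions = {}            # token -> (user, expires_at)

    def login(self, user):
        # A fresh, unguessable token per login; the token, not the IP address,
        # identifies the session (clients behind a firewall may share or change IPs).
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._clock() + SESSION_LIFETIME)
        return token

    def logout(self, token):
        # Explicit logout invalidates the token immediately. Any copy of it that
        # was observed on the network earlier stops working at this instant.
        self._sessions.pop(token, None)

    def resolve(self, token):
        """Return the user owning a valid token, or None if it is unknown or expired."""
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user, expires_at = entry
        if self._clock() >= expires_at:
            del self._sessions[token]  # lazy expiry of the idle session
            return None
        return user


def replay_window_demo():
    """Show the three states a copied token can be in: live, logged out, expired."""
    now = [1_000_000.0]                          # simulated clock (constructed)
    store = SessionStore(clock=lambda: now[0])

    token = store.login("alice")
    captured = token                             # a second copy of the same token
    results = {}

    # While the legitimate session is active, the copy resolves to the account.
    results["active"] = store.resolve(captured)

    # After the owner logs out, the same copy is refused.
    store.logout(token)
    results["after_logout"] = store.resolve(captured)

    # A session left open without logging out dies on its own once the window passes.
    token2 = store.login("alice")
    now[0] += SESSION_LIFETIME + 1
    results["after_expiry"] = store.resolve(token2)

    return results


if __name__ == "__main__":
    print(replay_window_demo())
```

The point the demo makes is the one Fee and Chee make: the window of exposure is exactly the lifetime of the server-side session record, so logging out closes it at once, while simply closing the page leaves it open for up to two hours.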

Fee said Hotmail engineers were examining Chee's description of the
problem.

"We will see if there are any appropriate steps that we can take to help
minimize user risk," he added.